Introduction

This document describes how to configure Access Control Policy (ACP) rules to inspect traffic that comes from Virtual Private Network (VPN) tunnels or Remote Access (RA) users, with a Cisco Adaptive Security Appliance (ASA) with FirePOWER Services used as the Internet gateway.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

AnyConnect, Remote Access VPN and/or Peer-to-Peer IPSec VPN.

Firepower ACP configuration.

ASA Modular Policy Framework (MPF).

Components Used

The information in this document is based on these software and hardware versions:

ASA5506W version 9.6(2.7) for ASDM example

FirePOWER module version 6.1.0-330 for ASDM example.

ASA5506W version 9.7(1) for FMC example.

FirePOWER version 6.2.0 for FMC example.

Firepower Management Center (FMC) version 6.2.0

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Problem

ASA5500-X with FirePOWER Services is unable to filter and/or inspect AnyConnect user traffic in the same way as traffic sourced from other locations connected by IPsec tunnels, where the ASA acts as the single perimeter point of content security.

Another symptom this solution covers is the inability to define specific ACP rules for the mentioned sources without affecting other sources.

This scenario is very common when a TunnelAll design is used for VPN solutions terminated on an ASA.

Solution

This can be achieved in multiple ways; however, this scenario covers inspection by zones.

ASA configuration

Step 1. Identify the interfaces where AnyConnect users or VPN tunnels connect to the ASA.
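As an added example to support Step 1 (not part of the original document), the following script parses an ASA running-config and lists the interfaces on which AnyConnect (webvpn) and IPsec (crypto map / IKE) terminate. The config excerpt is constructed for illustration and does not come from a real device.

```python
"""Find the ASA interfaces where AnyConnect and IPsec VPNs terminate.
Added example for Step 1; the config text is constructed, not from the page."""
import re
from collections import defaultdict

# Constructed sample ASA running-config excerpt (assumption, not a real device).
SAMPLE_CONFIG = """
interface GigabitEthernet1/1
 nameif outside
 security-level 0
interface GigabitEthernet1/2
 nameif inside
 security-level 100
crypto map outside_map 1 match address VPN_ACL
crypto map outside_map 1 set peer 198.51.100.2
crypto map outside_map interface outside
crypto ikev2 enable outside
crypto ikev1 enable outside
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
"""


def vpn_terminating_interfaces(config: str) -> dict:
    """Return {nameif: sorted list of VPN features bound to that interface}."""
    features = defaultdict(set)
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        # Top-level commands are unindented; 'webvpn' opens a sub-mode whose
        # indented 'enable <nameif>' lines bind AnyConnect to an interface.
        if not line.startswith(" "):
            in_webvpn = (line.strip() == "webvpn")
        if in_webvpn:
            m = re.match(r"\s+enable\s+(\S+)$", line)
            if m:
                features[m.group(1)].add("anyconnect/webvpn")
            continue
        m = re.match(r"crypto map \S+ interface (\S+)$", line)
        if m:
            features[m.group(1)].add("ipsec crypto map")
        m = re.match(r"crypto (ikev1|ikev2) enable (\S+)$", line)
        if m:
            features[m.group(2)].add(m.group(1))
    return {k: sorted(v) for k, v in features.items()}


if __name__ == "__main__":
    for nameif, feats in vpn_terminating_interfaces(SAMPLE_CONFIG).items():
        print(f"{nameif}: {', '.join(feats)}")
```

The resulting interface names are the ones to reference when assigning security zones for the ACP rules in the steps that follow.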